The Real Cost of Skipping a Penetration Test

A penetration test costs between $5,000 and $25,000. The average data breach costs $4.45 million. Every dollar spent on proactive testing saves roughly $180 to $890 in breach response. The pentest that never happened is always the most expensive one.

The Budget Line Item That Keeps Getting Cut

Every CISO has fought this battle. The annual budget review comes around and someone in finance asks why the company is paying five figures to have someone try to hack into systems that are already protected by firewalls and endpoint detection. The pentest gets deferred to next quarter. Next quarter becomes next year. Next year becomes never.

Then the breach happens.

This is not a hypothetical pattern. It plays out across every industry, every company size, every geography. The organizations that skip penetration testing are not saving money. They are borrowing against a debt that compounds with interest, and the interest rate is measured in millions of dollars, regulatory fines, lost customers and destroyed reputations.

IBM's 2025 Cost of a Data Breach Report puts the global average at $4.45 million per breach. That number includes direct costs like incident response and legal fees. It includes indirect costs like customer churn and brand damage. It does not include the career cost to the CISO who approved skipping the test that would have caught the vulnerability.

Five Breaches That a Pentest Would Have Caught

The following scenarios are drawn from real incident response engagements. Names and identifying details have been changed. The vulnerabilities are described exactly as they were found.

Scenario 1: The Unpatched VPN Gateway

A mid-market manufacturing firm with 800 employees ran a Fortinet VPN appliance that was two major versions behind on patches. The vulnerability was CVE-2023-27997, a heap-based buffer overflow that allowed remote code execution without authentication. The patch had been available for over a year.

An attacker exploited the VPN, pivoted to the domain controller and deployed ransomware across 340 endpoints in under four hours. The ransom demand was $2.1 million. The company paid $1.4 million after negotiation. Total cost including downtime, forensics and recovery exceeded $3.8 million.

What a pentest would have found: Any external network penetration test would have flagged the outdated VPN firmware within the first hour of reconnaissance. The finding would have been rated Critical. The patch takes less than a maintenance window to apply.

Scenario 2: Default Credentials on a Cloud Management Console

A SaaS company migrated to AWS and left the default administrator credentials on a Jenkins build server that was publicly accessible. The username was "admin" and the password was "admin." An attacker used the Jenkins server to access environment variables containing production database credentials. They exfiltrated 2.3 million customer records over six weeks before detection.

Breach notification costs alone exceeded $900,000. The subsequent class action settlement was $4.2 million. Three enterprise clients terminated their contracts within 90 days.

What a pentest would have found: Default credential checks are part of every standard penetration test methodology. The publicly exposed Jenkins instance would have appeared in initial port scanning. The tester would have attempted default credentials as a matter of routine. Total time to discover this finding: under ten minutes.

Scenario 3: SQL Injection in a Patient Portal

A regional healthcare provider launched a patient portal built by a third-party development shop. The portal had a SQL injection vulnerability in the login form. Not a blind injection requiring sophisticated techniques. A basic error-based injection that returned database contents directly in the browser.

An attacker extracted 145,000 patient records including names, dates of birth, Social Insurance Numbers and medical diagnoses. The HIPAA breach notification process cost $1.2 million. The OCR fine was $2.4 million. The reputational damage to a healthcare provider that could not protect patient data is still being measured.

What a pentest would have found: Web application penetration testing specifically targets injection flaws. This vulnerability would have been caught by automated tooling before the manual testing phase even began. OWASP has ranked injection as a top-ten web application risk for over two decades.

Scenario 4: Lateral Movement Through a Flat Network

A financial services firm with 200 employees had a flat internal network. No segmentation between the corporate Wi-Fi, the accounting department and the servers holding client financial data. An attacker gained initial access through a phishing email, compromised a single workstation and then moved laterally to the file server containing client tax returns and banking information for 12,000 individuals.

The firm reported the breach to FINTRAC and provincial regulators. Client notifications cost $380,000. Legal defense against regulatory action cost $1.1 million. Fourteen clients representing $2.8 million in annual revenue moved to competitors.

What a pentest would have found: An internal network penetration test would have demonstrated the lack of segmentation within the first day. The tester would have shown that any compromised workstation could reach the file servers storing sensitive client data. The remediation recommendation would have been network segmentation, a fundamental control that costs a fraction of the breach.

Scenario 5: Exposed API with No Authentication

A fintech startup deployed a mobile application with a backend API that had no authentication on several endpoints. The endpoints returned full customer profiles including names, addresses, account balances and transaction histories. The API was documented in a Swagger file that was publicly accessible at the default URL.

A security researcher found the exposed API and reported it. The company was fortunate. Had a malicious actor found it first, the exposure of 89,000 customer financial records would have triggered mandatory breach notification under PIPEDA and potentially under state-level regulations for their American customers. The emergency remediation, third-party security audit required by their banking partners and accelerated SOC 2 timeline cost $680,000.

What a pentest would have found: API security testing is a standard component of web application and mobile application penetration tests. The exposed Swagger documentation and unauthenticated endpoints would have been identified during reconnaissance. This is not a subtle finding. It is an open door with a welcome mat.
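The check a defender can run on their own Swagger/OpenAPI document long before a tester does is to list every operation that declares no security requirement. This is an added example, not code from the original article; the spec below is constructed to mirror the scenario, and the paths and scheme names are assumptions.

```python
import json

# Constructed OpenAPI 3 document (not from the article) mirroring the scenario:
# a customer-profile API whose document-level security requirement is
# overridden to "no auth" on several operations.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
  "security": [{"bearer": []}],
  "paths": {
    "/customers/{id}": {
      "get": {"summary": "Full customer profile", "security": []},
      "put": {"summary": "Update profile"}
    },
    "/customers/{id}/transactions": {
      "get": {"summary": "Transaction history", "security": []}
    },
    "/health": {
      "get": {"summary": "Liveness probe", "security": []}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def unauthenticated_operations(spec):
    """Return sorted (METHOD, path) pairs callable with no credentials.

    OpenAPI semantics: an operation's own `security` list overrides the
    document-level one, and an empty list means "no security required".
    An operation without a `security` key inherits the global requirement,
    so it is only flagged when the document declares none either.
    """
    global_sec = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters" or "summary"
            effective = op.get("security", global_sec)
            if not effective:  # [] at the operation level, or missing everywhere
                findings.append((method.upper(), path))
    return sorted(findings)


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"NO AUTH: {method} {path}")
```

Expect a liveness probe to appear in the output; a customer profile or transaction history appearing there is the finding the scenario describes.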

The Math

The numbers do not require complex financial modeling. They require basic arithmetic.

Item                                       Cost
Average data breach (IBM 2025)             $4,450,000
External network pentest                   $5,000 to $15,000
Web application pentest                    $8,000 to $25,000
Internal network pentest                   $10,000 to $20,000
Comprehensive annual program (all three)   $25,000 to $60,000

Even at the high end, a comprehensive annual penetration testing program costs roughly 1.3% of a single breach. Run the program for ten consecutive years and the total investment is still less than 15% of one average breach event.

But the math gets worse when you factor in what IBM calls the "breach lifecycle." Organizations that identify and contain a breach in under 200 days spend an average of $3.93 million. Organizations that take longer than 200 days spend $4.95 million. Penetration testing shortens identification time because it reveals the attack vectors before they are exploited. Your team knows where to look because the pentest report told them where the weaknesses live.

The Hidden Costs That Never Make the Spreadsheet

Cyber insurance premium increases

Insurers are now requiring penetration test reports as a condition of coverage. Organizations without recent pentest documentation face premium increases of 25% to 100% or outright denial of coverage. After a breach, that premium increase becomes permanent.

Regulatory investigation costs

A breach triggers mandatory investigation by regulators under PIPEDA, HIPAA, PCI DSS or sector-specific frameworks. These investigations consume executive time for months. Legal fees for regulatory defense routinely exceed $500,000.

Customer acquisition cost increase

After a public breach, customer acquisition costs increase measurably. Prospects research vendors before signing contracts. A breach disclosure on page one of search results kills deals that your sales team will never know they lost.

Board and investor confidence

For publicly traded companies, breaches correlate with stock price declines averaging 3% to 5% in the weeks following disclosure. For private companies seeking funding, a breach history complicates due diligence and depresses valuation.

The Pentest That Never Happened Is the Most Expensive One

There is a phrase in incident response that you hear repeatedly during post-breach reviews: "We were going to do a pentest." The SOW was drafted but never signed. The budget was allocated but redirected. The vendor was selected but the engagement kept getting pushed back.

Every one of the five scenarios above shares a common thread. The organizations knew they should be testing. Some had tested in previous years and let the practice lapse. Others had pentest line items in their security roadmaps that never materialized. None of them made a deliberate decision to accept the risk of not testing. They simply did not make the decision to test and the default state of inaction carried them into a breach.

This is the core argument that every CISO needs to make to their CFO. Skipping a pentest is not a neutral decision. It is an active acceptance of unknown risk. You are choosing to not know what an attacker would find. You are choosing to trust that your defenses are sufficient without verification. You are betting the company that nobody will find the vulnerability that your own team has not looked for.

That is not risk management. That is hope. Hope is not a strategy the board should be comfortable with.

Building the Business Case

If you are a CISO trying to get pentest budget approved, here is the framework that works.

Lead with insurance. Call your cyber insurance broker and ask what happens to your premium if you cannot produce a current penetration test report at renewal. Get that number in writing. It is often enough to justify the pentest cost on its own.

Quantify the breach alternative. Use IBM's Cost of a Data Breach Report and the Sherlock Forensics Breach Cost Calculator to model what a breach would cost your specific organization based on industry, record count and geography. Present the pentest cost as a percentage of the breach cost.

Reference regulatory requirements. If your organization handles payment cards, PCI DSS Requirement 11.3 mandates annual penetration testing. If you are pursuing SOC 2, your auditor will ask for pentest evidence. If you handle health data, NIST Cybersecurity Framework controls that map to penetration testing are referenced in HIPAA security guidance. Compliance is not optional and neither is the testing that supports it.

Frame it as due diligence. Directors and officers have a fiduciary duty to protect the organization. A pentest is evidence of that duty being fulfilled. The absence of testing is evidence of negligence. In post-breach litigation, plaintiff attorneys will ask what security testing was conducted. Having no answer is worse than having a report full of findings.

What Good Looks Like

Organizations with mature security programs treat penetration testing as a recurring operational expense. Not a one-time project. Not an event triggered by an audit finding. A standing engagement that runs annually at minimum and quarterly for high-risk environments.

The cadence matters. Testing once and never again gives you a snapshot that becomes stale within months as your environment changes. New applications get deployed. Cloud configurations drift. Employees leave and their access does not. A penetration test conducted 18 months ago tells you very little about your current attack surface.

The relationship with your testing firm matters too. A firm that has tested your environment over multiple years understands your architecture, your risk tolerance and your remediation capacity. They can focus on what changed rather than re-learning your network from scratch each year. That institutional knowledge makes every subsequent test more valuable than the first.

FAQ

How much does a penetration test cost compared to a data breach?

A penetration test typically costs between $5,000 and $25,000 depending on scope and complexity. The average cost of a data breach in 2025 was $4.45 million according to IBM's Cost of a Data Breach Report. A single pentest can identify vulnerabilities that would cost hundreds of times more to remediate after a breach than before one. Even a comprehensive annual testing program covering external, internal and web application testing rarely exceeds $60,000.

Can a penetration test actually prevent a breach?

Yes. Penetration tests identify exploitable vulnerabilities before attackers find them. Organizations that conduct regular pentests and remediate findings reduce their attack surface significantly. Many of the most damaging breaches in recent years exploited vulnerabilities that a standard penetration test would have flagged, including unpatched systems, default credentials and misconfigured access controls. The test itself does not prevent the breach. The remediation that follows the test does.

How often should an organization conduct penetration tests?

At minimum annually and after any major infrastructure change such as a cloud migration, merger or new application deployment. Organizations in regulated industries like finance and healthcare often test quarterly. Compliance frameworks including PCI DSS require annual penetration testing. The cost of testing quarterly is still a fraction of a single breach. Environments that change frequently should test more often because each change introduces potential new vulnerabilities.

External Resources